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REMARKS 

Claims 1-19 are pending. In the Office Action dated April 1, 2008, the Examiner 
rejected claims 1-2, 8-10, 15 and 17 under 35 U.S.C. § 102(b) as being anticipated by U.S. Patent 
No. 5,828,468 to Lee et al. ("Lee") and rejected claims 3-7, 1 1-14, 16 and 18-19 under 35 U.S.C. 
§ 103(a) as being unpatentable over Lee in view of U.S. Patent No. 6,654,787 to Aronson et al. 
("Aronson"). In view of the following remarks, reconsideration of the present application is 
respectfully requested. 

The disclosed embodiments of the invention will now be discussed in comparison 
to the prior art. Of course, the discussion of the disclosed embodiments, and the discussion of 
the differences between the disclosed embodiments and the prior art subject matter, do not define 
the scope or interpretation of any of the claims. Instead, such discussed differences are intended 
to provide assistance to the Examiner in appreciating the claim distinctions discussed thereafter. 

The disclosed example of the invention is a method and apparatus for detecting a 
spoofed network connection. In particular, embodiments of the invention are useful for detecting 
possible spoofed SMTP connections as are typically employed by spammers. Specifically, 
spammers spoof their IP address during SMTP connections to avoid having their spam traced 
back to them. In a typical scenario, a spammer will connect to an SMTP server using a spoofed 
IP address. The SMTP server responds with a greeting and that greeting is sent to the spoofed IP 
rather than to the actual IP of the spammer's machine. Even though the spammer doesn't receive 
the greeting (since it was sent to a different IP address), the spammer nevertheless continues 
communications with the SMTP server as if they had received the greeting. Due to limitations in 
the SMTP protocol, there is no means of verifying or ensuring that the spammer actually 
received the greeting and therefore detecting that a spammer has connected is more difficuh. 

In an embodiment of the invention, the scenario outlined above is changed to 
permit detection of a spoofed connection. In particular, embodiments of the invention will delay 
sending the greeting for some predetermined period of time after the connection has been 
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established. For example, suppose a bona fide client connects to the SMTP server. After 
connecting, an embodiment of the invention would delay sending the greeting to that client for a 
period of time. For example, the server could wait 5 seconds before sending the greeting. Since 
the client is bona fide, the client has no reason to further communicate with the SMTP server 
until such time as they receive the greeting. Once they receive the greeting, the session 
continues as per normal. 

On the other hand, suppose a spammer connects to the SMTP server using a 
spoofed IP. After connecting, an embodiment of the invention likewise delays sending the 
greeting for a period of time. After this period of time has lapsed, the SMTP server sends the 
greeting. However, since the spammer has connected with a spoofed IP, the greeting will be sent 
to the fake IP instead of to the spammer. Since the spammer will not and cannot receive the 
greeting, they simply continue the SMTP session as if they had received the greeting. Typically, 
the spammer will continue the session as soon as possible right after initiating the connection to 
save time and to permit sending as many spam emails as possible. In this scenario, therefore, the 
spammer will continue with the SMTP session and conmiunicate with the server even before the 
server has sent the greeting (due to the server purposely delaying transmission of the greeting). 
Embodiments of the invention recognize that receipt of this conmiunication prior to transmission 
of the greeting is a near certain sign that the connection is using a spoofed IP. Embodiments of 
the invention may then proceed based on the assumption that the spoofed connection is probably 
a spammer and take certain other actions as are described in detail in the specification. 

The Lee reference discloses methods and systems for managing a facsimile 
("fax") session over a digital data link and includes a spoofing operation where necessary. As is 
well known in the art, fax machines are designed to conmiunicate with one another via analog 
telephone lines. Modernization of telephone networks has created situations where intermediate 
links between two fax machines may be, and typically are, digital links. Lee discloses a system 
whereby a source fax machine is connected to a destination fax machine through two 
intermediate digital points of presence (POPs). Basically, the source machine connects to a 
source POP via normal analog voice telephone lines, the POP translates the analog fax 
transmission to digital data, the data is sent through the digital network to a destination POP that 



Page 6 of 1 1 



BRUCE L. BROWN JR. et al. PATENT 

Application No. 10/742,329 

Reply to Office Action of April 1, 2008 

is connected to the destination fax machine and that translates the digital data back into the 
analog fax transmission that is received by the destination machine. 

As with virtually all forms of data transmission, fax transmissions follow a certain 
protocol. Prior to sending the actual fax data to a destination fax machine, the source fax 
machine must first send a request to send to the destination machine and will wait for an 
acknowledgment from that machine prior to sending the fax data. The request and 
acknowledgement travel through the POPs and digital network just the same as the fax data 
itself. Lee discloses a system whereby the source POP will determine a maximum permissible 
time to wait for receiving the acknowledgement from the destination fax machine and if that time 
is exceeded, the POP will send a fake acknowledgement to the source machine thereby 
permitting the source machine to commence with transmission of the fax data. This "spoofing" 
of the acknowledgement permits the source fax machine to begin transmitting analog data to the 
source POP allowing the source POP to begin conversion of that data to digital data and, 
perhaps, buffering the converted data for subsequent transmission to the destination POP. If an 
actual acknowledgement is subsequently received by the source POP as relayed to it by the 
destination POP, then the buffered data may be transmitted to the destination POP for translation 
and retransmission to the destination fax machine. It is important to note that although Lee 
discloses using a spoofed message to control a fax session, it does not disclose or fairly suggest 
detecting a spoofed message or connection. 

Turning now to the claims, Lee fails to teach of fairly suggest elements of 
independent claims 1, 8 and 15 thereby precluding prima facie anticipation or obviousness as is 
discussed in detail below. Applicants respectftilly request, therefore, that the rejections be 
withdrawn. 
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Claim Rejections Under 35 U.S.C. § 102 

A. Claims 1-2, 8-10, 15 and 17 are rejected under 35 U.S.C. § 102(b) as being 
unpatentable over U.S. Patent No. 5,828,468 to Lee et al. ("Lee"). 

Independent Claim 1 (Dependent Claims 2-7) 

Independent claim 1 is directed towards a method for detecting a spoofed network 
connection that includes "receiving a connection from a client" and "delaying sending a greeting 
message for a delay period." The Office Action does not describe with any particularity what, 
exactly, the Examiner contends is "receiving a connection." Based on the extensive portion of 
the Lee disclosure that was cited in the Office Action, the Examiner may argue that either of the 
two POPs or the destination fax machine may be construed as "receiving a connection." 
Whichever of these the Examiner may wish to construe as "receiving a connection," it is clear 
that Lee does not teach or fairly suggest any of these "delaying sending a greeting message for a 
delay period." Applicants respectfiilly submit that column 3, lines 13-57 of the Lee reference is 
completely silent as to "delaying sending" any type of data whether a "greeting message" or 
otherwise. Likewise, the remainder of Lee fails to teach or fairly suggest "delaying sending a 
greeting message." 

Independent claim 1 also includes the method step of "monitoring the connection 
during the delay period." Lee fails to teach or fairly suggest such "monitoring the connection 
during the delay period" at least because it fails to teach "delaying" and hence it cannot teach an 
associated "delay period." 

Independent claim 1 also includes the method step of "identifying the connection 
as the spoofed connection" if a command is received from the client before the greeting is sent. 
As was discussed above, Lee discloses transmitting a spoofed acknowledgement to the source 
fax machine under certain circumstances. Lee does not, however, teach or fairly suggest 
"identifying the connection as the spoofed coimection" at least because a) a spoofed 
acknowledgement is not equivalent to a "spoofed connection" and b) using such a message is not 
equivalent to "identifying" a "spoofed connection." 
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Accordingly, for the reasons set forth above, Applicants respectfully request that 
the rejection of claim 1 be withdrawn. Claims depending from claim 1 are also patentable based 
on the patentability of the base claim and fiurther in view of their additional limitations. 



Independent Claim 8 (Dependent Claims 9-14^ 

Independent claim 8 is directed towards a method for detecting a spoofed network 
connection that includes "receiving a first command at a server from a cUent" and "delaying [] a 
transmission of a reply." As discussed above, it is not clear what part of Lee the Examiner 
contends is, for example, "a server" or "a client." Even if some or all of the POPs and fax 
machines are construed to act as a "server" or a "client," it is clear that Lee does not teach or 
fairly suggest any of these "delaying [] a transmission of a reply" Applicants respectfully submit 
that column 3, lines 13-57 of the Lee reference is completely silent as to "delaying [] a 
transmission" of any type of data whether a "reply" or otherwise. Likewise, the remainder of Lee 
fails to teach or fairly suggest "delaying [] a transmission of a reply." 

Independent claim 8 also includes the method step of "monitoring a connection 
between the server and the client during the delay period." Lee fails to teach or fairly suggest 
such "monitoring" at least because it fails to teach "delaying" and hence it caimot teach an 
associated "delay period." 

Independent claim 8 also includes the method step of "identifying the connection 
as the spoofed connection" if a second command is received from the client before the reply is 
transmitted. As was discussed above, Lee discloses transmitting a spoofed acknowledgement to 
the source fax machine vmder certain circumstances. Lee does not, however, teach or fairly 
suggest "identifying the connection as the spoofed connection" at least because a) a spoofed 
acknowledgement is not equivalent to a "spoofed connection" and b) using such a message is not 
equivalent to "identifying" a "spoofed connection." 

Accordingly, for the reasons set forth above, Applicants respectfully request that 
the rejection of claim 8 be withdrawn. Claims depending from claim 8 are also patentable based 
on the patentability of the base claim and further in view of their additional limitations. 
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Independent Claim 15 (Dependent Claims 16-19) 

Independent claim 15 is directed towards an apparatus for detecting a spoofed 
network connection that includes a "detecting" means for detecting when a connection is 
established between the apparatus and a client device. The apparatus also comprises a 
"transmitting means" and a "means for delaying the transmitting means [] during a delay period." 
As discussed above, it is not clear what part of Lee the Examiner contends is equivalent to the 
claimed apparatus or the "client device." Even if some or all of the POPs and fax machines are 
construed to act as the apparatus or a "client device," it is clear that Lee does not teach or fairly 
suggest any of these "delaying the transmitting means [] during a delay period." Applicants 
respectfully submit that column 3, lines 13-57 of the Lee reference is completely silent as to 
"delaying [] the transmitting means" from transmitting any type of data whether a "reply," a 
"greeting message" or otherwise. Likewise, the remainder of Lee fails to teach or fairly suggest 
"delaying [] the transmitting means [] during a delay period." 

The apparatus of independent claim 15 also includes a means of "monitoring the 
connection to detect commands [from] the client device at least during the delay period." Lee 
fails to teach or fairly suggest such means for "monitoring . . . durmg the delay period" at least 
because it fails to teach means for "delaying" and hence it cannot and does not teach an 
associated "delay period." 

Accordingly, for the reasons set forth above, Applicants respectfully request that 
the rejection of claim 15 be withdrawn. Claims depending from claim 15 are also patentable 
based on the patentability of the base claim and further in view of their additional limitations. 

Claim Rejections Under 35 U.S.C. S 103 

A. Claims 3-7, 1 1-14, 16 and 18-19 are rejected under 35 U.S.C. § 103(a) as being 
unpatentable over Lee in view of U.S. Patent No. 6,654,787 to Aronson et al. 
("Aronson") 

Independent Claims 1. 8 and 15 
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Independent claims 1, 8 and 15 are patentable over Lee in light of the remarks 
above. Aronson fails to teach or fairly suggest any of the limitations not taught by Lee. 
Therefore, based on the patentability of base claims 1, 8 and 15, Lee in view of Aronson is 
inadequate to establish a prima facie case of obviousness for dependent claims 3-7, 1 1-14, 16 
and 18-19 and Applicants respectfully request the rejection of these claims under 35 U.S.C. § 
103(a) be withdrawn. 

CONCLUSION 

In view of the foregoing. Applicants believe all claims now pending in this 
Application are in condition for allowance. The issuance of a formal Notice of Allowance at an 
early date is respectfully requested. 

If the Examiner believes a telephone conference would expedite prosecution of 
this application, please telephone the undersigned at 206-467-9600. 

Respectfully submitted, 



/Alan D. Minsk/ 
Alan D. Minsk 
Reg. No. 35,956 

TOWNSEND and TOWNSEND and CREW LLP 

Two Embarcadero Center, Eighth Floor 

San Francisco, California 941 1 1-3834 

Tel: 206-467-9600 

Fax:415-576-0300 
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